
Preserving Evidence



Presentation Transcript


  1. Preserving Evidence
  • Number one priority
  • Must also find incriminating evidence
  • Must search the contents of the hard drive
  • Cannot change the hard drive

  2. Procedure
  • Retrieve the hard drive from the evidence locker and update the chain of custody record.
  • Calculate the MD5 hash of the drive.
  • “Image the hard drive.”
  • Validate that the MD5 hash of the drive is the same as the MD5 hash of the image.
  • Make a copy of the “image.”
  • Store the actual hard drive together with the original “image” in the evidence locker.
  • Remember to update the chain of custody record.

  3. Procedure (cont’d)
  • Use the copy of the hard drive image to perform your forensic analysis.
  • You can always go back to the original image.
  • Or, if necessary, you can go back to the hard drive and validate the MD5 hash.

  4. Disk Image
  • A disk image is an exact copy of everything on the disk.
  • Not merely a copy of all the files.
  • It is an exact copy – all mistakes, errors, erasures, dates, times, etc.
  • You can prove that it is an exact copy.

  5. Disk Image
  • Forensic software does it.
  • HW can assist.
  • Software can do it.

  6. Technique must be Validated
  • NIST – www.ncjrs.org
  • Unix command dd
  • EnCase
  • SafeBack
  • etc.

  7. Cautions
  • The hard drive cannot be accessed.
  • The hard drive cannot be altered.
  • The hard drive is sacred.
  • If you mess with it you are gone!!!
  • Blame always falls somewhere.
  • What to do?

  8. Technology to the Rescue
  • HW – Write blockers
  • SW – Write blockers

  9. Write Blocker
  • Write blockers prevent writing to the medium.
  • The medium can be read but not written to.
  • The modify, access, and create dates cannot be changed.
  • The contents cannot be modified.

  10. Example
  • Floppies – the write-protect tab.

  11. HW Write Blocker
  • Paraben
  • Accommodates a number of hard drives
  • Comes with cables
  • Forensically certified
  • Standard with law enforcement
  • Necessary for on-site image acquisition

  12. SW Imaging
  • Unix – dd if=??? of=???
  • NIST certifies that it does not corrupt the original.
  • The original and the image are identical.
  • EnCase
  • Has an imaging function.
  • WinHex
  • Create Disk Image ...
  • Verifiable exact copy.
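The procedure from slides 2 and 3 (hash the medium, image it, validate the hashes, work from a copy, update the chain of custody record) carried out with the dd command named on slide 12, as an added example that is not part of the slide deck. A constructed 1 MiB file stands in for the evidence drive so the script runs without hardware; on a real acquisition the source would be the block device, read through a write blocker. The file names and the custody-log format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the slides): image a medium with dd, hash the
# original and the image, compare them, and log each step to a
# chain-of-custody file. A constructed sample file stands in for the drive.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/evidence_drive.bin"      # stands in for /dev/sdX (constructed sample)
IMG="$WORK/original.dd"             # the original image, goes to the locker
COPY="$WORK/working_copy.dd"        # the copy used for analysis
CUSTODY="$WORK/chain_of_custody.log"  # assumed log format: time | action | hash

# Build the constructed sample medium: 2048 sectors of 512 bytes with a marker
# written into sector 10 so the image has some recognisable content.
dd if=/dev/zero of="$SRC" bs=512 count=2048 2>/dev/null
printf 'SAMPLE EVIDENCE: constructed test content\n' |
  dd of="$SRC" bs=512 seek=10 conv=notrunc 2>/dev/null

# MD5 of the whole medium, every sector, not a hash of the files on it.
hash_medium() {
  md5sum "$1" | cut -d' ' -f1
}

# Sector-by-sector image. bs=512 is one sector; conv=noerror,sync keeps reading
# past unreadable sectors and zero-fills them so offsets in the image still
# line up with the medium. sync also pads a short final block, so the hashes
# only match when the source is a whole number of sectors, as a real device is.
acquire_image() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Append a dated entry to the chain-of-custody record.
record_custody() {
  printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$CUSTODY"
}

# Compare two hashes; prints both and returns 0 only when they match.
verify_image() {
  src_hash=$(hash_medium "$1")
  img_hash=$(hash_medium "$2")
  printf 'medium/image: %s\nimage/copy:   %s\n' "$src_hash" "$img_hash"
  [ "$src_hash" = "$img_hash" ]
}

# The slide's procedure end to end; returns 0 only if every check passes.
run_procedure() {
  record_custody "retrieved medium from locker" "$(hash_medium "$SRC")"
  acquire_image "$SRC" "$IMG"
  verify_image "$SRC" "$IMG" || return 1       # drive hash == image hash
  cp "$IMG" "$COPY"
  verify_image "$IMG" "$COPY" || return 1      # image hash == working copy hash
  record_custody "imaged medium, hash verified" "$(hash_medium "$IMG")"
  echo "Analysis proceeds on $COPY; $IMG and the medium return to the locker."
}

# Why the hash matters: changing a single byte of the working copy is caught
# the next time it is compared against the original image.
tamper_detected() {
  printf 'X' | dd of="$COPY" bs=1 seek=5120 conv=notrunc 2>/dev/null
  if verify_image "$IMG" "$COPY" >/dev/null; then
    return 1    # the change went unnoticed; must never happen
  fi
  return 0
}

run_procedure
tamper_detected && echo "One changed byte on the copy: hash mismatch detected."
cat "$CUSTODY"
```

The same three functions apply unchanged to a real acquisition: point `acquire_image` at the block device, keep the device behind a write blocker, and keep `hash_medium` output in the custody record so anyone can later recompute it against the drive, as slide 3 describes.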

  13. Week 4 Lab
  • Using WinHex, image your floppy. Describe the procedure in your lab report.
  • Validate that the copy is exact using MD5 hash signatures. Show this in your lab report.
  • Using the image you made, describe some of the contents of the floppy (the floppy image).
  • E-mail the floppy image to yourself so you can use it at home.

  14. Select Start Center

  15. Click Open Disk

  16. Click OK

  17. Calculate MD5 Hash

  18. Create the image
  • Select Raw image.
  • Calculate the MD5 hash.
  • Click OK.
  • Select a filename and path.
  • Remember where you put the image.

  19. Hash of the Image
  • Is it the same as the floppy disk?

  20. Open raw image file

  21. Find the image file

  22. Open the image file
  • Calculate the MD5 hash of the file.
  • Is it the same?

  23. MD5 Hash of image file

  24. Explore the floppy image
  • What files are there?

  25. Week 5 Lab
  • Create a case folder on your F_Drive.
  • Using WinHex, image your floppy. Save the image in your case folder. Describe the procedure in your lab report.
  • Validate that the copy is exact using MD5 hash signatures. Show this in your lab report.
  • Using the image you made, describe some of the contents of the floppy (the floppy image).
  • Recover an image and save it in your case folder.
  • Keep all of your homework in your case folder.
